Speare reports possible breach of private info
Posted: Tuesday, May 3, 2011 6:00 am | Updated: 6:54 am, Tue May 3, 2011.
PLYMOUTH - Speare Memorial Hospital reported Monday that a laptop computer containing protected health information was stolen from an employee's locked, parked automobile on April 3.
The theft, which was reported to the hospital's Information Systems Department on April 4, could potentially affect just under 6,000 people, according to Michele Barney Hutchins, community relations director at Speare.
She said letters were sent to 5,994 patients last week, as soon as the Information Systems Department had identified what exactly what had been on the computer and who might be affected.
The process took some time, which is why there was a delay between the incident and patients being notified, Hutchins said, adding "obviously, an information gathering and culling process had to take place in order to notify people."
The computer was password protected but that does not afford complete security from unauthorized access. The protected health information included patient names and, in some instances, patient addresses, hospital account numbers, medical record numbers, physician names, dates of service, procedure codes, and diagnosis codes.
Hutchins said except for one case, the potentially compromised information does not include patients' social security information, credit card information or health insurance information.
The exception is that, in one file which was separate from the rest, a person's social security number was included. That person has been notified separately, Hutchins said.
Hutchins said the laptop had been assigned to an employee who was traveling and who had left the computer in her locked, secured vehicle when it was stolen.
Hutchins said it is not unusual for employees to work remotely; however, patient files are usually accessed via a secure network, not downloaded onto a computer's hard drive, as was the case with the stolen laptop.
Hutchins said she is not sure why the information had been downloaded.
"It should not have been on the computer," Hutchins said. "Clearly this should not have happened and we do not want it to happen again."
The employee has since resigned, she added.
In addition, the hospital has hired experts to identify additional safeguards to strengthen current security protocols.
Hutchins said a police report was filed immediately following the incident, but to date, the computer has not been recovered.
Hutchins said this is first time something like this has happened.
Michelle McEwen, Speare Memorial Hospital's president and chief executive officer said Monday that the Hospital will be monitoring for any indication of misuse of information and has encouraged patients to review their future hospital account statements closely.
"Speare Memorial Hospital understands that safeguarding confidentiality is fundamental to our mission, and we are taking measures to ensure this does not happen again," McEwan said. "Patients with questions or concerns regarding this matter are urged to contact us."
For questions related to the potential loss of protected health information, contact the hospital directly at 866-331-1226 or via e-mail: firstname.lastname@example.org.
PLYMOUTH - Speare Memorial Hospital melaporkan Senin bahwa komputer laptop yang berisi informasi kesehatan dilindungi dicuri dari seorang karyawan itu terkunci, mobil diparkir pada tanggal 3 April.
Pencurian, yang dilaporkan rumah sakit Sistem Informasi Departemen pada tanggal 4 April berpotensi mempengaruhi hanya di bawah 6.000 orang, menurut Michele Barney Hutchins, direktur hubungan masyarakat di Speare.
Dia mengatakan surat yang dikirim ke 5.994 pasien pekan lalu, segera setelah Sistem Informasi Departemen telah mengidentifikasi apa sebenarnya apa yang telah di komputer dan yang mungkin akan terpengaruh.
Proses ini memerlukan waktu, itulah sebabnya mengapa ada penundaan antara insiden dan pasien diberitahu, Hutchins mengatakan, menambahkan "jelas, pertemuan informasi dan proses pemusnahan harus terjadi dalam rangka untuk memberitahu orang."
Komputer itu dilindungi password tapi itu tidak mampu keamanan yang lengkap dari akses yang tidak sah. Informasi kesehatan dilindungi termasuk nama pasien dan, dalam beberapa hal, alamat pasien, rumah sakit nomor rekening, nomor rekam medis, dokter nama, tanggal pelayanan, kode prosedur, dan kode diagnosis.
Hutchins mengatakan kecuali untuk satu kasus, informasi yang berpotensi dikompromikan tidak termasuk jaminan sosial pasien informasi, informasi kartu kredit atau informasi asuransi kesehatan.
Pengecualian adalah bahwa, dalam satu file yang terpisah dari yang lain, nomor jaminan sosial seseorang dimasukkan. Orang itu telah diberitahu secara terpisah, kata Hutchins.
Hutchins mengatakan laptop telah ditugaskan untuk seorang karyawan yang sedang dalam perjalanan dan yang telah meninggalkan komputer dalam kendaraan nya terkunci, dijamin ketika dicuri.
Hutchins mengatakan tidak biasa bagi karyawan untuk bekerja jarak jauh, namun, file pasien biasanya diakses melalui jaringan yang aman, tidak di-download ke hard drive komputer, seperti yang terjadi dengan laptop curian.
Hutchins mengatakan dia tidak yakin mengapa informasi itu sudah diunduh.
"Ini seharusnya tidak di komputer," kata Hutchins. "Jelas ini seharusnya tidak terjadi dan kita tidak ingin itu terjadi lagi."
Karyawan sejak mengundurkan diri, tambahnya.
Selain itu, rumah sakit telah mempekerjakan ahli untuk mengidentifikasi perlindungan tambahan untuk memperkuat protokol keamanan saat ini.
Hutchins mengatakan laporan polisi diajukan segera setelah insiden itu, namun sampai saat ini, komputer belum pulih.
Hutchins mengatakan ini adalah pertama kalinya sesuatu seperti ini terjadi.
Michelle McEwen, presiden Speare Memorial Hospital dan CEO mengatakan hari Senin bahwa Rumah Sakit akan memantau untuk setiap indikasi penyalahgunaan informasi dan telah mendorong pasien untuk mengkaji ulang pernyataan rumah sakit akun masa depan mereka erat.
"Speare Memorial Hospital memahami bahwa kerahasiaan merupakan dasar untuk menjaga misi kami, dan kami mengambil langkah-langkah untuk memastikan hal ini tidak terjadi lagi," kata McEwan. "Pasien dengan pertanyaan atau keluhan mengenai hal ini didesak untuk menghubungi kami."
Florida Hospital privacy breach: Workers accessed ER patient information
3 employees terminated
more than 2,000 patients notified by mail of breach
September 30, 2011|By Kate Santich and David Breen, Orlando Sentinel
Florida Hospital tried to reassure patients Friday that a breach of its electronic medical records spanning 20 months was limited to certain patients and not used for identity theft.
Instead, the intent of the breach — which targeted emergency-room patients who were involved in motor-vehicle accidents — appears to have been to pass the information on to an attorney-referral service. However, neither the hospital nor the Osceola County Sheriff's Office, which continues to investigate the incident, could confirm the motive.
The problem came to the hospital's attention, according to hospital spokeswoman Samantha O'Lenick, when a woman who had been in a car accident complained that she had been contacted by a lawyer referral service — and there apparently was no other way for the service to have obtained her personal information.
The breach occurred between January 2010 and Aug. 15, 2011, O'Lenick said. All 2,252 patients whose records were subject to "inappropriate access" are being contacted by mail.
The hospital has fired the three employees involved, all of whom were nonmedical personnel whose records indicated no previous disciplinary actions. On Sept. 6 the matter was referred to both the Osceola County Sheriff's Office and the FBI. The hospital did not further publicize the situation until Friday, when it took out a public notice to alert patients who might overlook the news in their mailbox.
"Certainly we do criminal background checks [when people are hired]," said O'Lenick, who would not release the names of the employees because of the ongoing investigation. "But I think what's more important is to lock the system down so [nonessential] employees don't have access to that information. I think it can be enticing at times for people."
O'Lenick said the hospital already has restricted such access.
The original breach occurred at the company's hospital in Celebration, although the employees involved had access to patient files in Osceola, Orange and Seminole counties.
"We deeply regret that this happened," O'Lenick added. "And we want to assure our patients and the community that we're taking it super-seriously, and we're providing all kinds of support services to demonstrate to them that we take that very seriously."
Despite the lack of evidence that identity theft was the motive, the hospital has established a help line — 1-855-366-0141 — for victims to call to set up free identity-theft prevention, credit monitoring and any credit restoration that might be needed.
O'Lenick called the move "an abundance of caution" because the perpetrators had access to the patients' names, dates of birth, social security numbers and insurance information — everything that would be needed to steal a person's identity.
While no arrests have yet been made, Osceola sheriff's spokeswoman Twis Lizasuain said the three employees could face third-degree felony charges under Florida law if they passed along the information to an outside party. An investigator with the sheriff's economic crimes unit is working with the hospital's corporate data security officials to pursue the case.
Data security was able to identify the employees by tracking access codes and tracing the pages viewed.
As the federal government pushes to move more medical records online, the breach is likely to make some patients nervous.